
Thread: Virtumonde and Virtumonde.generic

  1. #21
    Junior Member
    Join Date: Nov 2007
    Posts: 15

    new combofix log

    Now having Kaspersky scan...


    ComboFix 07-11-30.4 - HP_Owner 2007-11-30 17:09:00.2 - NTFSx86
    Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    D:\I386\Apps\APP07885\src\HPSummer2005.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\I386\Apps\APP07885\src\HPSummer2005.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
    .

    2007-11-27 21:37 . 2007-11-27 21:37 1,042 --a------ C:\net_save.dna
    2007-11-27 21:36 . 2007-11-27 22:03 <DIR> d-------- C:\Program Files\support.com
    2007-11-27 20:42 . 2007-11-27 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Support.com
    2007-11-27 18:33 . 2007-11-27 18:33 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterVideo
    2007-11-27 08:03 . 2007-11-27 08:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-27 08:03 . 2007-11-27 18:29 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\AVG7
    2007-11-27 08:03 . 2007-11-27 08:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-27 08:03 . 2007-11-30 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-27 02:17 . 2007-11-27 02:18 <DIR> d-------- C:\Program Files\Philips
    2007-11-27 02:04 . 2005-01-28 13:44 5,525,504 --a------ C:\WINDOWS\system32\setb8.tmp
    2007-11-27 01:53 . 2004-04-23 00:00 116,736 --a------ C:\WINDOWS\system32\CNMLM5y.DLL
    2007-11-27 01:53 . 2004-04-23 00:00 7,680 --a------ C:\WINDOWS\system32\CNMVS5y.DLL
    2007-11-27 01:52 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2007-11-27 01:52 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
    2007-11-26 21:31 . 2007-11-26 21:31 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-26 18:06 . 2007-11-26 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-26 18:05 . 2007-11-26 18:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-22 01:00 . 2007-11-22 01:00 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Creative
    2007-11-22 00:34 . 1999-10-10 12:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
    2007-11-22 00:28 . 1999-12-12 12:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
    2007-11-22 00:28 . 1999-11-17 12:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
    2007-11-22 00:27 . 2007-11-22 00:33 <DIR> d--h----- C:\Program Files\Creative Installation Information
    2007-11-22 00:27 . 2007-11-22 00:27 <DIR> d-------- C:\Program Files\Common Files\Creative
    2007-11-22 00:24 . 2007-11-22 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
    2007-11-22 00:20 . 2007-11-22 00:34 <DIR> d-------- C:\Program Files\Creative
    2007-11-21 23:40 . 2007-11-21 23:40 <DIR> d--hs---- C:\WINDOWS\ftpcache
    2007-11-21 23:40 . 2007-11-21 23:40 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX
    2007-11-21 08:20 . 2007-11-21 08:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-11-21 00:49 . 2007-11-21 02:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-21 00:15 . 2007-11-27 07:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2007-11-20 08:47 . 2007-11-20 08:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-11-20 08:47 . 2007-11-20 08:47 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
    2007-11-20 08:45 . 2007-11-20 08:47 <DIR> d-------- C:\Program Files\WinTV
    2007-11-20 08:45 . 2004-02-13 15:58 65,536 --a------ C:\WINDOWS\system32\hcwdlg.ocx
    2007-11-20 08:43 . 2007-11-20 08:46 855 --a------ C:\WINDOWS\HCWPNP.INI
    2007-11-20 04:49 . 2001-08-17 16:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2007-11-20 04:49 . 2001-08-17 17:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2007-11-20 04:47 . 2007-11-30 00:00 246 --a------ C:\WINDOWS\system\hpsysdrv.dat
    2007-11-20 04:45 . 2007-11-20 03:14 <DIR> d-------- C:\WINDOWS\I386
    2007-11-20 04:36 . 2007-11-21 08:24 <DIR> dr------- C:\Documents and Settings\All Users\Documents
    2007-11-20 04:35 . 2007-11-27 02:13 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
    2007-11-20 03:57 . 2007-11-20 03:57 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-11-20 03:24 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
    2007-11-20 03:24 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\dllcache\kswdmcap.ax
    2007-11-20 03:24 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
    2007-11-20 03:24 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\dllcache\kstvtune.ax
    2007-11-20 03:24 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
    2007-11-20 03:24 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
    2007-11-20 03:24 . 2004-08-03 23:08 48,640 --a------ C:\WINDOWS\system32\stream.sys
    2007-11-20 03:24 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
    2007-11-20 03:24 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\dllcache\ksxbar.ax
    2007-11-20 03:24 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
    2007-11-20 03:24 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\dllcache\vidcap.ax
    2007-11-20 03:15 . 2004-08-04 07:00 260,272 -r-hs---- C:\cmldr
    2007-11-20 03:15 . 2007-11-20 02:53 213 -rahs---- C:\BOOT.BAK
    2007-11-20 03:12 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-11-20 03:11 . 2007-11-20 03:11 <DIR> d--hs---- C:\Documents and Settings\HP_Owner\UserData
    2007-11-20 03:04 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2007-11-20 02:56 . 2004-08-04 07:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-11-20 02:56 . 2005-01-23 12:30 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-11-20 02:56 . 2007-11-20 02:56 1,837 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_PX743AA-ABA a1110n_YC_0Pavi_QCNH522_E53NAheBLU2_47_IGuppy_SASUSTek Computer INC._V1.03_B3.08_T050509_WXH2_L409_M504_J160_7Intel_8Celeron_93.07_#050919_N10EC8139_Z11C1048C_G80862562_OHP DVD Writer 640b.MRK
    2007-11-20 02:55 . 2005-05-06 02:12 <DIR> d-------- C:\Documents and Settings\HP_Owner\WINDOWS
    2007-11-20 02:55 . 2005-05-06 02:36 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Symantec
    2007-11-20 02:55 . 2005-05-06 02:27 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\SampleView
    2007-11-20 02:55 . 2005-05-06 02:32 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
    2007-11-20 02:55 . 2005-05-06 02:11 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
    2007-11-20 02:54 . 2005-05-06 02:12 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
    2007-11-20 02:53 . 2007-11-20 02:53 <DIR> d-a------ C:\Program Files\Common Files\LightScribe
    2007-11-20 02:53 . 2005-05-06 02:12 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-21 07:10]
    "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 10:06]
    "PhilipsLime"="C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe" [2005-09-08 16:10]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 12:31]
    "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-06 01:59]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48]
    "PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-14 23:12]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-27 08:03]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-27 08:03]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2007-11-20 08:46:32]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 04:28:24]
    Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-05-06 02:15:24]

    R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \Shell\AutoRun\command - J:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66e386e7-9743-11dc-a849-0013d41e6fd1}]
    \Shell\AutoRun\command - J:\LaunchU3.exe -a

    .
    **************************************************************************

    catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-30 17:11:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-30 17:12:21
    C:\ComboFix2.txt ... 2007-11-29 23:21
    .
    --- E O F ---

  2. #22
    Junior Member
    Join Date: Nov 2007
    Posts: 15

    new Kaspersky scan

    So I don't think things happened as planned...still 1 virus found and 6 infected files


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, November 30, 2007 7:26:20 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 1/12/2007
    Kaspersky Anti-Virus database records: 469622
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 72994
    Number of viruses found: 1
    Number of infected objects: 6
    Number of suspicious objects: 0
    Duration of the scan process: 01:12:19

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\MSHist012007113020071201\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\Acr12.tmp Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\Acr14.tmp Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\Acr6.tmp Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\YPMRAP4V\80CBJF1QX[2].flv Object is locked skipped
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\YVOJM21R\D4O2G90ID[2].flv Object is locked skipped
    C:\Documents and Settings\HP_Owner\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\HP_Owner\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.dat Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.idx Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.dat Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.idx Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\D0000000.FCS Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\inuse.txt Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\L0000001.FCS Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\main.log Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.dat Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.idx Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.dat Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.idx Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.dat Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.idx Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.dat Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.idx Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.dat Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.idx Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.dat Object is locked skipped
    C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.idx Object is locked skipped
    C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
    C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir WiseSFX: infected - 1 skipped
    C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir WiseSFX Dropper: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\change.log Object is locked skipped
    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe WiseSFX: infected - 1 skipped
    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe WiseSFX Dropper: infected - 1 skipped

    Scan process completed.

  3. #23
    Security Expert-Emeritus steamwiz
    Join Date: Dec 2005
    Location: Yorkshire, U.K.
    Posts: 1,313

    Quote Originally Posted by aicstpnin
    So I don't think things happened as planned...still 1 virus found and 6 infected files


    Actually they did ...

    Number of viruses found: 1
    Number of infected objects: 6

    C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
    C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir WiseSFX: infected - 1 skipped
    C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir WiseSFX Dropper: infected - 1 skipped

    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe WiseSFX: infected - 1 skipped
    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe WiseSFX Dropper: infected - 1 skipped

    This is what happened ...

    Combofix deleted the file (3 infected objects) from your HP restore partition here :-

    D:\I386\Apps\APP07885\src\HPSummer2005.exe

    But before it deleted the files it did 2 things ...

    Created a restore point .... in which we now find these :-

    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe WiseSFX: infected - 1 skipped
    D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe WiseSFX Dropper: infected - 1 skipped

    Then it backed up the file in its own quarantine folder :-

    C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
    C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir WiseSFX: infected - 1 skipped
    C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir WiseSFX Dropper: infected - 1 skipped

    So to be finally rid of it we now need to do 2 last things ...

    1. Delete the C:\qoobox ... folder

    2. Purge system restore ...

    This will clear all your infected restore points...

    Turn off (Disable) System Restore in XP :-

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    Then...

    Turn on (enable) System Restore :-

    Follow the same procedure, but this time uncheck Turn off System Restore

    If you have any problem with this... here's a link to instructions :-


    Disabling or enabling Windows XP System Restore >

    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    Run a new KASPERSKY ONLINE SCAN & I guarantee it will be clean this time

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
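
Added example (not part of this thread, ComboFix or Kaspersky): a small Python parser for the Kaspersky Online Scanner report format pasted above that applies the same triage steamwiz does in this post. It drops the "Object is locked skipped" noise, keeps the real detections, and tags each one as sitting in the ComboFix quarantine (C:\qoobox), in a System Restore point (System Volume Information\_restore...), or in a live location that would still need attention. The sample lines are constructed: four mirror entries from this thread's report and the last one is made up to show a live detection; the function names, the location labels and the wording of the recommended actions are my own.

```python
import re
from collections import Counter

# Constructed sample in the scanner's "Infected Object Name / Virus Name / Last Action"
# layout. The first four entries mirror lines from this thread; the last one is made up
# to show what a detection outside quarantine or a restore point looks like.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\qoobox\Quarantine\D\I386\Apps\APP07885\src\HPSummer2005.exe.vir WiseSFX Dropper: infected - 1 skipped
D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0003791.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\sample.exe Infected: EICAR-Test-File skipped

Scan process completed.
"""

# Three line shapes occur in the report: locked objects, direct detections, and
# archive/installer containers reported as "<container>: infected - N".
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<name>[A-Za-z][\w ]*?): infected - (?P<count>\d+) skipped$")

# Location classes and the follow-up this thread recommends for each (my wording, not the tool's).
ACTIONS = {
    "quarantine": "delete the C:\\qoobox folder (ComboFix quarantine)",
    "restore point": "purge System Restore (disable, reboot, re-enable) to drop the RP copies",
    "live": "investigate: a detection outside quarantine/restore points is still active",
}


def classify_location(path):
    """Tag a reported path by where it lives; only the outer file path matters."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore point"
    return "live"


def parse_report(text):
    """Return (locked_paths, detections); detections are dicts with path/name/location."""
    locked, detections = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
            continue
        m = INFECTED_RE.match(line) or CONTAINER_RE.match(line)
        if m:
            detections.append({
                "path": m.group("path"),
                "name": m.group("name"),
                "location": classify_location(m.group("path")),
            })
    return locked, detections


def summarize(detections):
    """Count detections per location and decide whether anything live remains."""
    by_location = Counter(d["location"] for d in detections)
    live = [d for d in detections if d["location"] == "live"]
    verdict = "live detection remains" if live else "only quarantine/restore-point copies remain"
    actions = [ACTIONS[loc] for loc in ("live", "quarantine", "restore point") if by_location[loc]]
    return {"by_location": dict(by_location), "live": live, "verdict": verdict, "actions": actions}


if __name__ == "__main__":
    locked, dets = parse_report(SAMPLE_REPORT)
    print(f"{len(locked)} locked/skipped objects ignored")
    for d in dets:
        print(f"[{d['location']:13}] {d['name']} -> {d['path']}")
    print(summarize(dets))
```

Run against the full report from post #22, every one of the six infected objects falls into the quarantine or restore-point bucket and nothing is live, which is exactly why the remaining work is to delete C:\qoobox and purge System Restore rather than to hunt for a running infection. The constructed fifth line shows the opposite outcome, where the verdict flips to a live detection that needs a look.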

  4. #24
    Junior Member
    Join Date: Nov 2007
    Posts: 15

    And you're correct!

    Thanks so much again, Steam, for all your help. Couldn't have done it without you (obviously)

    One last side question -- can you recommend any firewall programs for Vista? Or just stick with Windows Firewall?

    Thanks,
    Mitch

  5. #25
    Security Expert-Emeritus steamwiz
    Join Date: Dec 2005
    Location: Yorkshire, U.K.
    Posts: 1,313

    Hi

    You're very welcome ...

    I've always been very satisfied with Zonealarm free firewalls both on XP & before that on my win98 ...

    I know they've had a lot of teething troubles with running it with vista, but I believe most of them are worked out, though I know some people still have trouble running it with vista...

    Zonealarm Free 7.1.100.000 - Size / OS: 17.5 MB, Windows 2K/XP/Vista

    http://www.softpedia.com/get/Securit...arm-Free.shtml

    The FREE Comodo Firewall is supposed to work well with vista .. But I can't guarantee it, some people can't get it to work either ...

    http://www.bestvistadownloads.com/so...-gfybevki.html

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E

  6. #26
    Junior Member
    Join Date: Nov 2007
    Posts: 15

    Thanks so much for the tips and advice! Is there anything else I should do?

    Mitch

  7. #27
    Security Expert-Emeritus steamwiz
    Join Date: Dec 2005
    Location: Yorkshire, U.K.
    Posts: 1,313

    You're welcome...

    If you are looking for tips to keep your computer secure, then this is a good read :-

    http://forums.spybot.info/showthread.php?t=279

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
